Received renewal email, certbot renew says none to renew, actual cert says not due to renewal until two months from now

Hi everyone!

I've been reading the community topics similar to this, but none of the solutions I've seen seem to apply to my case.

So I have a dummy server (Captive portal) that needs a valid certificate in order to work.

I used the manual method, since the Captive portal does not allow to install certbot: "sudo certbot certonly --manual -d portal.example.com"

When configuring it the first time around I created a CSR for a domain and a SAN, and validated the requests using CNAME entries on the public DNS domain.
The server constantly complained that SANs were not supported, so when renewal time came, I split the certificates: one for the root domain and one for the subdomain, instead of a SAN. I installed it and all has been working fine ever since.

But today I got an email warning me that I had 0 days left for the renewal of the certificate:

Hello,

Your certificate (or certificates) for the names listed below will expire in
0 days (on 29 Aug 17 09:34 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

I went ahead and did a certbot renew yet got:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/example.com.conf
Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/portal.example.com.conf
Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/example.com.com/fullchain.pem (skipped)
/etc/letsencrypt/live/portal.example.com/fullchain.pem (skipped)
No renewals were attempted.

After this I opened the certificates that are installed on the captive portal and saw that, yes, they are not due for renewal at all:

Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    Validity
        Not Before: Aug  4 15:00:00 2017 GMT
        Not After : Nov  2 15:00:00 2017 GMT
    Subject: CN=portal.hotelpalladium.com

So are the email warnings wrong? Did I screw up somewhere?

Or maybe I'm getting warnings from the first certificate (the one with SANs) since it uses the same root domain? If so, how do I stop the warnings from being sent to the email when it's not yet time?

Thanks in advance.

Hello @broadscha,

You have issued 4 certificates for your domain; if you are already using the latest certificates, you should not worry about the e-mails:

2017/August/28 12:50:33 - Checking certs for hotelpalladium.com

I have found 4 non expired certificates for domain hotelpalladium.com and its subdomains *.hotelpalladium.com

CRT ID     DOMAIN (CN)                VALID FROM              VALID TO                EXPIRES IN  SANs
183946532  hotelpalladium.com         2017-Aug-04 16:02 CEST  2017-Nov-02 15:02 CET   66 days     hotelpalladium.com
                                                                                                  portal.hotelpalladium.com

183943292  portal.hotelpalladium.com  2017-Aug-04 17:00 CEST  2017-Nov-02 16:00 CET   66 days     portal.hotelpalladium.com

146533711  portal.hotelpalladium.com  2017-May-31 11:42 CEST  2017-Aug-29 11:42 CEST  0 days      portal.hotelpalladium.com

146531562  hotelpalladium.com         2017-May-31 11:34 CEST  2017-Aug-29 11:34 CEST  0 days      hotelpalladium.com

Cheers,
sahsanu

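As an added example (not code from this thread or from certbot), here is the reasoning behind the answer above in Python: it parses the `openssl x509 -noout -text` lines quoted earlier, applies certbot's default 30-day `renew_before_expiry` window, and applies Let's Encrypt's documented rule that an expiry e-mail is only suppressed when a newer certificate covering exactly the same set of names has been issued. The certificate list and timestamps are constructed from the table in the answer, converted to UTC.

```python
from datetime import datetime, timedelta, timezone
UTC = timezone.utc
RENEW_BEFORE = timedelta(days=30)  # certbot's default renew_before_expiry

# Constructed from the `openssl x509 -noout -text` lines quoted in the thread.
SAMPLE_X509_TEXT = """
            Not Before: Aug  4 15:00:00 2017 GMT
            Not After : Nov  2 15:00:00 2017 GMT
            X509v3 Subject Alternative Name:
                DNS:portal.hotelpalladium.com
"""
# Constructed from the certificate list in the answer above (times converted to UTC).
ISSUED = [
    {"id": "183946532", "names": {"hotelpalladium.com", "portal.hotelpalladium.com"}, "not_after": datetime(2017, 11, 2, 14, 2, tzinfo=UTC)},
    {"id": "183943292", "names": {"portal.hotelpalladium.com"}, "not_after": datetime(2017, 11, 2, 15, 0, tzinfo=UTC)},
    {"id": "146533711", "names": {"portal.hotelpalladium.com"}, "not_after": datetime(2017, 8, 29, 9, 42, tzinfo=UTC)},
    {"id": "146531562", "names": {"hotelpalladium.com"}, "not_after": datetime(2017, 8, 29, 9, 34, tzinfo=UTC)},
]
NOW = datetime(2017, 8, 28, 10, 50, tzinfo=UTC)  # when that list was produced (12:50 CEST)

def parse_openssl_date(s):
    """Parse 'Nov  2 15:00:00 2017 GMT' as printed by openssl x509 -text."""
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=UTC)

def parse_x509_text(text):
    """Pull the validity dates and SAN names out of `openssl x509 -noout -text` output."""
    info = {"sans": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Not Before:"):
            info["not_before"] = parse_openssl_date(line.split(":", 1)[1])
        elif line.startswith("Not After"):
            info["not_after"] = parse_openssl_date(line.split(":", 1)[1])
        elif line.startswith("DNS:"):
            info["sans"] += [p.strip()[4:] for p in line.split(",")]
    return info

def certbot_renewal_status(not_after, now=NOW):
    """Mirror `certbot renew`: it only renews once expiry is within RENEW_BEFORE."""
    return (not_after - now).days, (not_after - now) <= RENEW_BEFORE

def certs_that_trigger_emails(issued=ISSUED, now=NOW, within_days=20):
    """Let's Encrypt suppresses the expiry mail only when a newer certificate with exactly
    the same name set exists; list (id, days_left) of soon-expiring certs lacking one."""
    out = []
    for c in sorted(issued, key=lambda c: c["not_after"]):
        replaced = any(o["names"] == c["names"] and o["not_after"] > c["not_after"] for o in issued)
        if not replaced and 0 <= (c["not_after"] - now).days <= within_days:
            out.append((c["id"], (c["not_after"] - now).days))
    return out
```

Run against the constructed data, the served certificate has 66 days left (so `certbot renew` correctly skips it), while the only expiring certificate without a same-names replacement is the old root-only one, whose 09:34 UTC expiry matches the e-mail quoted in the question.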

Hi again,

So apparently the certificate loaded on the server is still valid, yet clients get a warning when loading the page of the captive portal saying that the connection is not secure and/or trustworthy.

Hi @broadscha,

Well, you have valid certificates, but that doesn't mean they are being used by your captive portal.

A screenshot of the error/warning could help. Also, what are the domains covered by that certificate? You need to check them with your own browser.

Edit: If you are using the command line, you could use the command below to get the dates of the certificate served by your captive portal and the domains covered.

echo | openssl s_client -connect portal.hotelpalladium.com:443 -servername portal.hotelpalladium.com 2>/dev/null | openssl x509 -noout -text | grep -E '(DNS|Not )' | sed -e 's/^ *//g'

Cheers,
sahsanu

No, the certificate given is the valid one. See the following screenshot:

The text in red complains that the host name is not valid, since it is different from the one contained in the certificate, but that is not true since the machine that has the certificate installed has the proper hostname:

$ ssh admin@portal.hotelpalladium.com
admin@portal.hotelpalladium.com's password:
root@portal ~> hostname
portal.hotelpalladium.com
root@portal ~>

As for the openssl command:

$ echo | openssl s_client -connect portal.hotelpalladium.com:443 -servername portal.hotelpalladium.com 2>/dev/null | openssl x509 -noout -text | grep -E '(DNS|Not )' | sed -e 's/^ *//g'
Not Before: Aug 4 15:00:00 2017 GMT
Not After : Nov 2 15:00:00 2017 GMT
DNS:portal.hotelpalladium.com
$

EDIT: I forgot to put the result from the openssl command.

Hi @broadscha,

The first error means that the web server is serving a certificate valid only for portal.hotelpalladium.com but the site you are connecting to is another domain. What is the URL you see in your browser when connecting to portal.hotelpalladium.com? Maybe it is being redirected to another domain.

As it is inside your network I can’t test the connection to your portal.

Do you have the same error using other browsers?

Cheers,
sahsanu

That is the weird thing.

Depending on the browser I get different errors. Chrome on Samsung devices:

I can venture that it is because Let's Encrypt is not in the trust store of the device.

iOS devices:

They load the web form all right, which is weird in itself.

@broadscha, it seems you are not serving the intermediate certificate. We need to know how you configured your captive portal to specify the path to the certs.
